introduction to mobile forensicsjtag joint test action group the examiner connects to taps (test...
TRANSCRIPT
![Page 1: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/1.jpg)
INTRODUCTION TO MOBILE FORENSICS
Joe Walsh
DeSales University
![Page 2: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/2.jpg)
BACKGROUND
Cellular Industry
Police Officer
Internet Crimes Against Children Task Force Detective
FBI Task Force Officer
Private Sector
Adjunct Professor
Full-time Instructor at DeSales University
![Page 3: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/3.jpg)
BACKGROUND
B.S. in Information Systems
M.A. in Criminal Justice/Digital Forensics
Over 1000 hours of training
Specialized training in JTAG and chip-off
Several certifications
Testified in court as an expert in computer crime and digital forensics
![Page 4: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/4.jpg)
BACKGROUND - CERTIFICATIONS
International Information Systems Security Certification Consortium – Certified Information Systems Security Professional (CISSP) and Certified Cyber Forensics Professional (CCFP)
CompTIA – A+, Network+, Security+, CompTIA Advanced Security Practitioner (CASP)
EC-Council Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI)
International Society of Forensic Computer Examiners (ISFCE) Certified Computer Examiner (CCE)
International Assurance Certification Review Board (IACRB) Certified Computer Forensics Examiner (CCFE)
Guidance Software EnCase Certified Examiner (EnCE)
AccessData Certified Examiner (ACE)
![Page 5: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/5.jpg)
WHAT IS A MOBILE DEVICE?
Cellular phones
Tablet computers
MP3 players
e-Readers
Wearable devices
![Page 6: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/6.jpg)
Why are we interested in mobile devices?
![Page 7: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/7.jpg)
MOBILE DEVICES
More than 7 billion cellular subscriptions worldwide
Portio Research Ltd. predicts there will be 8.5 billion by the end of 2016
The majority of people have a cell phone (or phones)
Most people always have their cell phone with them
Cell phones are small computers which can store an immense amount of data
Many households no longer have desktop or laptop computers
![Page 8: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/8.jpg)
INTERESTING FACTS
According to the CTIA: 4 out of 10 Americans live in a wireless-only household
1 in 10 Americans access the Internet exclusively from a smartphone
More than 90% of devices sold in the U.S. in 4Q2013 were smartphones
More than 335,650,000 active wireless lines as of Dec. 2013
![Page 9: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/9.jpg)
INTERESTING FACTS
More than 6 billion text messages and more than 330 million multimedia messages occur each day in the United States (as of December 2013, according to CTIA)
Apple announced that users send over 40 billion iMessages per day (Februrary2014)
In 2016, Apple announced that users send an average of 200,000 messages per second.
![Page 10: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/10.jpg)
Photo from ctia.org
![Page 11: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/11.jpg)
EVOLUTION OF CELL PHONES
Over the years, cell phones Have become smaller and lighter
Are less expensive (devices and service)
Are much faster
Use less power
![Page 12: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/12.jpg)
CRIMES
What crimes can be committed using a mobile device? Crimes against children
Drugs
Harassment
Terroristic threats
Murder
Civil wrongs can also be perpetrated using mobile devices
![Page 13: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/13.jpg)
MOBILE FORENSICS
Defined:“a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions” (Wikipedia)
Digital forensics “is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime” (Wikipedia)
![Page 14: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/14.jpg)
What does forensically sound mean?
![Page 15: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/15.jpg)
FORENSICALLY SOUND
Definition from a popular text book:
“term used extensively in the digital forensics community to qualify and justify the use of particular forensic technology or methodology”
![Page 16: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/16.jpg)
COMPUTER FORENSICS VS. MOBILE FORENSICS
Mobile forensics and computer forensics are different
There are unique challenges involved in mobile forensics that are not usually involved in computer forensics
![Page 17: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/17.jpg)
MOBILE FORENSICS CHALLENGES
Many different types of hardware
Large number of mobile operating systems
Security features
![Page 18: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/18.jpg)
MANUFACTURERS
Apple
BlackBerry
HTC
LG
Motorola
Samsung
ZTE
![Page 19: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/19.jpg)
MOBILE PHONE OPERATING SYSTEMS
Android
BlackBerry OS
iOS
Windows Phone
Many different proprietary operating systems
![Page 20: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/20.jpg)
![Page 21: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/21.jpg)
What are the phases of mobile forensics?
![Page 22: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/22.jpg)
MOBILE FORENSICS PROCESS
Seizure
Acquisition
Examination/analysis
![Page 23: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/23.jpg)
SEIZURE
Ensure that appropriate legal authority exists before seizing
Determine the make, model, and IMEI/MEID/serial number
Determine the goals of the examination
Wear gloves when handling evidence
![Page 24: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/24.jpg)
WHERE IS THE DATA STORED?
Data can be stored in four different locations: On the phone
On the SIM card inside the phone
On the memory card inside the phone
In the “cloud”
In the cellular provider’s records
![Page 25: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/25.jpg)
![Page 26: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/26.jpg)
Photo from wisegeek.com
![Page 27: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/27.jpg)
Photo from t-mobile.com
![Page 28: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/28.jpg)
![Page 29: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/29.jpg)
Photo from wikipedia.com
![Page 30: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/30.jpg)
COMMUNICATION TYPES
Phone calls
SMS
MMS
Data
![Page 31: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/31.jpg)
AVAILABLE RECORDS
Depends on the carrier
Call detail records (CDR)
Detail records for SMS/MMS messages
Detail records for data usage
![Page 32: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/32.jpg)
![Page 33: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/33.jpg)
CELL PHONE PROVIDERS
Verizon
AT&T Mobility
Sprint
T-Mobile
![Page 34: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/34.jpg)
![Page 35: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/35.jpg)
REGIONAL CELL PHONE PROVIDERS
US Cellular
![Page 36: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/36.jpg)
MVNO
Mobile virtual network operator TracFone
NET10 Wireless
420 Wireless
H2O Wireless
Republic Wireless
![Page 37: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/37.jpg)
![Page 38: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/38.jpg)
IDENTIFYING THE CARRIER
FoneFinder
WhitePages
![Page 39: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/39.jpg)
NUMBER PORTABILITY
Allows consumers to bring their phone number to a new carrier
Neustar administers the Number Portability Administration Center
![Page 40: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/40.jpg)
NON-TRADITIONAL PHONE SERVICE
Google Voice
![Page 41: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/41.jpg)
PRESERVATION REQUEST
Investigators should consider submitting a preservation request to preserve records before they are no longer available
Generally offer the investigator 90 days to obtain and serve legal process
![Page 42: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/42.jpg)
OBTAINING RECORDS
Legal Process
Contact the service provider to determine the records that are available and any specific language that should be used
Request instructions for interpreting records
Consider using the term “communication log”
Talk to your prosecutor
![Page 43: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/43.jpg)
![Page 44: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/44.jpg)
SEIZING TANGIBLE EVIDENCE
Evidence could be stored on a variety of different types of devices
Evidence could be stored on multiple devices
Evidence could be stored in multiple locations
Be aware of very small and disguised devices
![Page 45: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/45.jpg)
PROTECTING EVIDENCE
Photograph items before seizing
You may want to bring a forensic examiner with you when executing the search warrant
Consider RAM capture for desktop and laptop computers
Place cellular devices in Airplane Mode if possible
Don’t forget about fingerprints and DNA evidence
![Page 46: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/46.jpg)
CELL PHONES
General rules for cell phones: If they are powered on, then leave them on
If they are powered off, then leave them off
If they are on, place the device in a Faraday bag to prevent wireless communications
![Page 47: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/47.jpg)
Photo from faraday-bags.com
![Page 48: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/48.jpg)
![Page 49: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/49.jpg)
Photo from rascalmicro.com
![Page 50: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/50.jpg)
Photo from amazon.com
![Page 51: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/51.jpg)
Photo from androidcentral.com
![Page 52: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/52.jpg)
HOW MUCH DATA IS 200GB?
3,500,000 Word documents
55,000 PowerPoint presentations
120,000 high resolution photos
45,000 songs
100 full length movies
![Page 53: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/53.jpg)
Photo from tricksdaddy.com
![Page 54: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/54.jpg)
Photo from tricksdaddy.com
![Page 55: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/55.jpg)
Photo from tricksdaddy.com
![Page 56: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/56.jpg)
Photo from tricksdaddy.com
![Page 57: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/57.jpg)
Photo from tricksdaddy.com
![Page 58: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/58.jpg)
Photo from tricksdaddy.com
![Page 59: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/59.jpg)
Photo from tricksdaddy.com
![Page 60: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/60.jpg)
Photo from tricksdaddy.com
![Page 61: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/61.jpg)
Photo from tricksdaddy.com
![Page 62: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/62.jpg)
Photo from tricksdaddy.com
![Page 63: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/63.jpg)
Photo from tricksdaddy.com
![Page 64: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/64.jpg)
Photo from funcage.com
![Page 65: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/65.jpg)
Photo from hasee-xing.com
![Page 66: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/66.jpg)
Photo from pinterest.com
![Page 67: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/67.jpg)
Photo from ruamhua.com
![Page 68: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/68.jpg)
Photo from promokeychain.com
![Page 69: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/69.jpg)
Photo from wonderhowto.com
![Page 70: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/70.jpg)
Photo from bestbuy.com
![Page 71: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/71.jpg)
EXAMINATION/ANALYSIS
The examination/analysis will depend on the type of data you are looking for
![Page 72: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/72.jpg)
ANALYZING TANGIBLE EVIDENCE
Prevent officers from “taking a peek” at the evidence
Submit the evidence to a qualified examiner
You may need the examiner’s assistance when reviewing the results
![Page 73: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/73.jpg)
What types of data will be found?
![Page 74: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/74.jpg)
TYPES OF DATA
• Address book
• Call history
• SMS
• MMS
• Web browser history
• Photos
• Videos
• Music
• Documents
• Calendar
• Notes
• Maps
• Social networking data
• Application data
• Deleted data
![Page 75: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/75.jpg)
RULES OF EVIDENCE
For evidence to be admissible, it must be:- Authentic- Complete- Reliable- Believable
![Page 76: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/76.jpg)
PROPER FORENSIC PRACTICES
Secure the evidence
Preserve the evidence
Document the evidence
Document all changes
![Page 77: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/77.jpg)
![Page 78: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/78.jpg)
EASIEST METHOD FOR LOCKED PHONES
What is the easiest way of dealing with a locked phone?
Ask the suspect for the password!
![Page 79: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/79.jpg)
SMUDGE ATTACK
It may be possible to view the suspect’s pattern
![Page 80: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/80.jpg)
Photo from guardianproject.info
![Page 81: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/81.jpg)
MICROSD CARD
Even if the phone is locked, the examiner may be able to locate valuable evidence on the microSD card
![Page 82: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/82.jpg)
JTAG
Joint Test Action Group
The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone
![Page 83: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/83.jpg)
Photo from binaryintel.com
![Page 84: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/84.jpg)
CHIP OFF
The memory “chip” is removed from the device and placed in a special reader
![Page 85: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/85.jpg)
Photo from binaryintel.com
![Page 86: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/86.jpg)
Photo from up48.com
![Page 87: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/87.jpg)
ASSISTANCE FROM THE MANUFACTURER
You may be able to obtain assistance from the manufacturer
FBI vs. Apple
![Page 88: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/88.jpg)
INTANGIBLE EVIDENCE
Intangible evidence can be just as valuable as tangible evidence (sometimes more valuable)
Examples include Email messages
Cloud storage
Social networking profiles
![Page 89: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/89.jpg)
INTANGIBLE EVIDENCE
Investigators should look for and seize intangible evidence
Examples include Email messages
Cloud storage
Social networking profiles
![Page 90: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/90.jpg)
GMail
Hotmail/Outlook.com
iCloud Mail
Yahoo Mail
Mail.com
Inbox.com
![Page 91: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/91.jpg)
CLOUD STORAGE
Dropbox
Google Drive
Box
Microsoft OneDrive
![Page 92: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/92.jpg)
SOCIAL NETWORKING
Google Plus
Tumblr
![Page 93: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/93.jpg)
ADDITIONAL TRAINING
Forensic Product Vendors – Cellebrite, XRY, Lantern
DeSales University
Internet Crimes Against Children Task Force
Federal Law Enforcement Training Center
United Stated Secret Service
National White Collar Crime Center (NW3C)
![Page 94: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/94.jpg)
DESALES UNIVERSITY
Bachelor of Arts in Criminal Justice – Digital Forensics Track
Master of Arts in Criminal Justice – Digital Forensics concentration
Graduate Certificate in Digital Forensics
![Page 95: Introduction to Mobile ForensicsJTAG Joint Test Action Group The examiner connects to TAPs (Test Action Ports) to obtain an extraction of a locked or damaged phone. Photo from binaryintel.com](https://reader030.vdocuments.us/reader030/viewer/2022040208/5e311a379884501ddb6dd21e/html5/thumbnails/95.jpg)